(sorry if this starts a new thread, you folks answered before I had a
chance to subscribe :)

Jesse wrote:

> As for ruby-gnome2's other CVE fix, that was released earlier in a
> different update,
> https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216

So this getting into our system is an artifact of how we process the
alerts. Our program looks for CVE references anywhere in the alert and
believes the alert fixes those CVEs. In this case (and presumably
others), that CVE was fixed in an earlier release and only appeared in
the Changelog in the message.

I have sometimes wondered about those changelogs. It would seem to me
that unless they only refer to the changes since the last release, they
are fairly confusing to someone reading them. Is there a way for a
human (or program) to determine which of those changelog entries
actually correspond to the changes in the release that goes with the alert?

jake
--
Jake Edge - LWN - jake@xxxxxxx - http://lwn.net
--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
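
The false positive described in the message above, as an added example that is not part of the original post and is not LWN's actual program: a scan of the whole alert picks up a CVE that appears only in the changelog, while a section-aware scan reports it separately for review. The alert text, the `ChangeLog:` and `References:` section markers, the dashed rule and the CVE identifiers are all constructed assumptions.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed layout: the changelog starts at a "ChangeLog:" line and runs
# until a "References:" line or a dashed rule.
SECTION_START = re.compile(r"^ChangeLog:\s*$", re.I)
SECTION_END = re.compile(r"^(References:|-{20,})\s*$")

# Constructed sample alert; package name and CVE ids are placeholders.
SAMPLE_ALERT = """\
Name        : examplepkg
Version     : 1.2
Release     : 3
Update Information:

Security fix for CVE-0000-0002.
----------------------------------------
ChangeLog:

* Mon Jan  1 2007 Packager <packager@example.org> - 1.2-3
- fix CVE-0000-0002
* Fri Dec  1 2006 Packager <packager@example.org> - 1.2-2
- fix CVE-0000-0001
----------------------------------------
References:

  [ 1 ] Bug #000000 - CVE-0000-0002 examplepkg: security fix
----------------------------------------
"""

def naive_cves(alert_text):
    """Every CVE id anywhere in the alert (the behaviour described above)."""
    return set(CVE_RE.findall(alert_text))

def classify_cves(alert_text):
    """Return (claimed, changelog_only): ids outside the changelog, and ids
    that appear only inside it and so may belong to an earlier update."""
    in_changelog = False
    body, changelog = set(), set()
    for line in alert_text.splitlines():
        if SECTION_START.match(line):
            in_changelog = True
            continue
        if in_changelog and SECTION_END.match(line):
            in_changelog = False
        (changelog if in_changelog else body).update(CVE_RE.findall(line))
    return body, changelog - body

if __name__ == "__main__":
    print("naive:", sorted(naive_cves(SAMPLE_ALERT)))
    print("claimed, changelog-only:", classify_cves(SAMPLE_ALERT))
```

A changelog-only id is a candidate for manual review rather than proof that the fix shipped earlier; the section markers need adjusting to the real alert format.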